Title: CORBA and CORBA Security
1CORBA andCORBA Security
- August Mayer, Graduate Project 2001
- http//corbasec.n3.net
2Contents
- CORBA
- Introduction
- History
- Products
- Concepts
- Programming
- CORBA Security
- Introduction, History
- Products
- Concepts
- Programming
3CORBA What?
- Common Object Request Broker Architecture
- Facility for interaction between objects
- on different machines
- concurrent execution
- Object model derived from OMA
- Object Management Architecture abstract
4CORBA History
- OMG Object Management Group
- founded in 1989 by a group of companies,
organizations and academia including
Hewlett-Packard, Sun, Canon - CORBA Specifications published
- 1.1 1991
- 2.0 Dec. 1994
- 2.4.2 current version (July 2001)
5CORBA Products (1/2)
- Iona Orbix, Orbacus
- OrbixWeb for Java
- new version Orbix2000
- Orbacus previously ObjectBroker, by OOC
- Inprise/Borland VisiBroker
- a version built into Netscape 4.x Browser!
- IBM Component Broker
- part of WebSphere Application Server
- etc.
6CORBA Products (2/2)
- free ORBs
- MICO MICO Is CORBA
- Univ. Frankfurt GPL
- JacORB
- Freie Univ. Berlin LGPL
- TAO The ACE ORB
- Washington Univ. in St. Louis
- Orbit
- for GNOME desktop environment GPL/LGPL
7CORBA Basic model (1/2)
- ORB Object Request Broker
- relies on Object Services
- relies on Common Facilities
8CORBA The ORB
- central facility that ties all together
- minimal functionality for location-, language-
and platform-independent communication - functions
- initial access to services, creating basic
objects, basic data types etc. - ORB.resolve_initial_references(..)
- ORB.string_to_object(..), ORB.object_to_string(..)
9CORBA Services
- provide basic services / functionalities
- currently specified (official)
Collection Service Persistent Object Service
Concurrency ServiceĀ Property Service Event
Service Query Service Externalization Service
Relationship Service
Naming Service Security Service Licensing
Service Time Service Life Cycle Service
Trading Object Service Notification Service
Transaction Service
10CORBA Facilities
- provide services on a higher level
- end-user oriented
- applicable to multiple domains
- currently specified (officially)
- Time and Internationalization
- Mobile Agent Facility
11CORBA Programming?
- write IDL (Interface Definition Language)
- compile IDL
- add object implementations
- add main programs for server, client
12CORBA IDL (1/3)
- Interface Description Language
- describes only the interfaces
- system independent
- syntax resembles to C/C/Java
- like C header files, interface in Pascal
13CORBA IDL (2/3)
- compiled by IDL compiler
- result stub, skeleton in target language
- Stub for client
- imposter of the server object
- forwards method calls etc. to remote machine, if
necessary - Skeleton
- basis for object implementation
- enables methods etc. to be also called from e.g.
a remote machine
14CORBA IDL (3/3)
// this defines the AddressBook modulemodule
AddressBook interface Person attribute
string name string sendEMail(in string
fromWhom)
15CORBA Object Implementation
- need to implement the methods and attribute
accessors defined in IDL - ImplBase method
- implementor creates class derived from generated
base class - Tie method
- implementor creates own class, attaches to the
system with a generated Tie class
16CORBA client, server main programs
- create, initialize ORB and BOA
- ORB Object Request Broker
- BOA Basic Object Adapter
- basic object, often product-dependent
- register object
- in Name service directory of CORBA objects
- in Implementation repository (Iona Orbix)
- server start server loop
- C/C dispose of object
17CORBA CORBA Security
18CORBA Security (1/3)
- Current version 1.7 (March 2001)
- Initial Version 1.1 Dec. 1997
- is a CORBA service
- has IDL descriptions
- but needs special provisions (in ORB etc.)
19CORBA Security (2/3)
- provides functions to secure the object
interactions - confidentiality
- e.g. encryption of method invocations,authenticat
ion of users and services - integrity
- accountability
- e.g. logging / auditing
20CORBA Security (3/3)
- Services provided
- identification and authentication of principals
- authorization, access control
- security auditing
- security of communications (e.g. link encryption)
- administration of security informations
- and, optionally, non-repudiation.
21CORBA Sec. Products
- MICOsec
- by ObjectSecurity, for MICO
- ORBasec
- by Adiron, for Iona Orbacus
- Iona Orbix2000
- Inprise Security Service
- and others (IBM, ...)
22CORBA Sec. Concepts (1/2)
- Principal
- represents user or service in system
- like in Kerberos
- Current
- Spec. state information for a given service and
execution environment - i.e. the current threads parameters for securely
communicating with a specific service - the only interface that is accessible in Level 1
23CORBA Sec. Concepts (2/2)
- Credentials, Delegation
- represents credentials for a given principal
- e.g. privileges, identity attributes
- Authentication
- principals establishing its credentials
- Security mechanism
- concrete method of obtaining security
- e.g. Kerberos, SSL
24CORBA Sec. Programming (1/3)
- Security Levels
- Level 1 from outside
- application can only query current status
- Java org.omg.SecurityLevel1.
- Level 2 security set up by application
- all APIs accessible
- Java org.omg.SecurityLevel2.
25CORBA Sec. Programming (2/3)
- Security API structure
- org.omg.Security common data types
- org.omg.SecurityLevel1 for Level-1 apps
- org.omg.SecurityLevel2 for Level-2 apps
- org.omg.SecurityAdmin
- querying, modifying security policies
- org.omg.NRService
- optional non-repudiation features
- org.omg.SecurityReplaceable
- for different implementations of the Security
services - protocol-specific packages SECIOP, SSLIOP,...
26CORBA Sec. Programming (3/3)
- Initial references
- PrincipalAuthenticator
- authenticate(...), continue_authentication(...)
- SecurityCurrent
- SecurityManager
- Security Attributes, Policies
- Attributes which security options are allowed,
required (e.g. Confidentiality, Integrity,...) - Policies which Credentials, Mechanism to use if
several are available
27Thanks!
- Questions?
- References
- http//www.omg.orgThe Object Management Group
- http//corbasec.n3.netThe project documentation
page